Abstract

The existence of adversarial examples and the ease with which they can be generated raise several security concerns with regard to deep learning systems, pushing researchers to develop suitable defence mechanisms. The use of networks adopting error-correcting output codes (ECOC) has recently been proposed to counter the creation of adversarial examples in a white-box setting. In this paper, we carry out an in-depth investigation of the adversarial robustness achieved by the ECOC approach. We do so by proposing a new adversarial attack specifically designed for multilabel classification architectures, like the ECOC-based one, and by applying two existing attacks. In contrast to previous findings, our analysis reveals that ECOC-based networks can be attacked quite easily by introducing a small adversarial perturbation. Moreover, the adversarial examples can be generated in such a way as to achieve high probabilities for the predicted target class, hence making it difficult to use the prediction confidence to detect them. Our findings are proven by means of experimental results obtained on MNIST, CIFAR-10, and GTSRB classification tasks.

Highlights

  • Deep neural networks can solve complicated computer vision tasks with unprecedented high accuracies

  • We carried out a targeted attack with the target class chosen at random among the remaining M − 1 classes. The label t of the target class was used to run the C&W attack in equation (5) and layerwise origin-target synthesis (LOTS), while the codeword $C_t$ associated with t is considered in (6) for the new attack

  • We use the attack success rate (ASR) to measure the effectiveness of the attack, i.e., the percentage of generated adversarial examples that are assigned to the target class, and the peak signal-to-noise ratio (PSNR) to measure the distortion introduced by the attack, defined as $\mathrm{PSNR} = 20 \log_{10}\left(255\sqrt{N} / \|\delta\|_2\right)$, where $\|\delta\|_2$ is the $L_2$-norm of the perturbation and $N$ is the size of the image
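As an added illustration, not code from the paper or its authors: how the two metrics above are evaluated for an ECOC classifier, decoding each output vector to the class whose codeword it correlates best with and then scoring ASR and PSNR. The codebook, output vectors and pixel values are constructed, and the normalized outputs are assumed to lie in [-1, 1].

```python
import math
from typing import List, Sequence

# Constructed 4-class codebook with 6-bit codewords over {+1, -1}
# (illustrative only; not the codebook used in the paper).
CODEBOOK: List[List[int]] = [
    [ 1,  1,  1,  1,  1,  1],
    [ 1, -1,  1, -1,  1, -1],
    [-1,  1,  1, -1, -1,  1],
    [-1, -1, -1,  1,  1,  1],
]

def ecoc_decode(output: Sequence[float], codebook: Sequence[Sequence[int]]) -> int:
    """Return the index of the codeword with the largest correlation
    (inner product) with the network's normalized output vector."""
    scores = [sum(o * c for o, c in zip(output, cw)) for cw in codebook]
    return max(range(len(codebook)), key=scores.__getitem__)

def attack_success_rate(outputs: Sequence[Sequence[float]],
                        targets: Sequence[int],
                        codebook: Sequence[Sequence[int]]) -> float:
    """ASR in percent: share of adversarial outputs decoded to the target class."""
    hits = sum(ecoc_decode(o, codebook) == t for o, t in zip(outputs, targets))
    return 100.0 * hits / len(targets)

def psnr(clean: Sequence[float], adversarial: Sequence[float]) -> float:
    """PSNR = 20 log10(255 sqrt(N) / ||delta||_2) with pixels in [0, 255],
    N = number of pixel values and delta = adversarial - clean."""
    l2 = math.sqrt(sum((a - c) ** 2 for a, c in zip(adversarial, clean)))
    if l2 == 0.0:
        return math.inf  # identical images: no distortion at all
    return 20.0 * math.log10(255.0 * math.sqrt(len(clean)) / l2)

# Constructed normalized outputs (assumed in [-1, 1]) for four adversarial
# examples whose target classes are 0, 1, 2 and 3 respectively.
ADV_OUTPUTS = [
    [0.9, 0.8, 0.7, 0.9, 0.6, 0.8],
    [0.5, -0.6, 0.4, -0.7, 0.3, -0.2],
    [0.1, 0.2, 0.3, -0.1, -0.2, 0.1],
    [-0.3, -0.2, 0.6, 0.5, 0.4, 0.3],   # decodes to class 0, not the target 3
]
TARGETS = [0, 1, 2, 3]

# Constructed 4x4 grey image and a version with four pixels raised by 2.
CLEAN_IMAGE = [100.0] * 16
ADV_IMAGE = [102.0] * 4 + [100.0] * 12

if __name__ == "__main__":
    print("ASR  = %.1f%%" % attack_success_rate(ADV_OUTPUTS, TARGETS, CODEBOOK))
    print("PSNR = %.2f dB" % psnr(CLEAN_IMAGE, ADV_IMAGE))
```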


Summary

Introduction

Deep neural networks can solve complicated computer vision tasks with unprecedentedly high accuracy. They have, however, been shown to be vulnerable to adversarial examples, namely properly crafted inputs that introduce small (often imperceptible) perturbations and induce a classification error [1,2,3]. In a white-box setting, wherein the attacker has full knowledge of the attacked network, including full knowledge of the defence mechanism, more powerful attacks can be developed, tipping the scale again in favour of the attacker [4, 13]. In this arms race, a novel defence strategy based on error-correcting output coding (ECOC) [14] was recently proposed in [15] to counter adversarial attacks in a white-box setting. With the ECOC approach, the network is trained in such a way as to produce normalized logit values that correlate well with the codeword used to encode the class the input sample belongs to.


